1 London Street,
+44 (0)118 951 6200
The GDPR will update existing data protection law to align it more closely with modern technology and the privacy issues raised by today’s information society.
It can be described as “evolution rather than revolution” – the new rules build on the current data protection regime but they do introduce a number of significant changes.
The increased fines (up to €20 million or 4% of global turnover) that can be imposed for data breaches once the GDPR comes into force have generated the most publicity, but the other key changes include:
The Information Commissioner’s website has a lot of useful information on the GDPR but making sense of all the requirements and deciding what to implement (and how) can seem daunting.
Making a Start
Every organisation processes personal data to some extent and the GDPR introduces a new accountability requirement. Article 5(2) provides that “the data controller shall be responsible for, and be able to demonstrate compliance with,” the key GDPR principles. So it is clear that doing nothing is not an option.
The first step is to recognise that GDPR requires a resource commitment. Data protection touches every area of an organisation so a GDPR team should be formed with representatives from operations, IT, finance and HR. It is likely you will need some legal input too.
You cannot make changes to comply with the GDPR until you have a full understanding of the organisation’s current position from a privacy perspective. We therefore recommend you begin by undertaking an internal audit to assess (amongst other things):
You will then need to review the audit results and decide what changes you need to make (this is a point where legal advice can be useful). The next steps will include some or all of the following:
1. Implement changes (which may include refreshing consents).
2. Consider whether you need to make changes to your IT (in particular to meet the requirements of the new rights of data subjects and to ensure your data is sufficiently secure).
3. Update documentation (for example privacy notices, data protection policy, T&C and contracts for data processing).
4. Consider appointing a data protection officer.
5. Train your staff.
6. Keep proper records of your actions to meet the GDPR’s accountability requirement.
7. Review at regular intervals, e.g. every 6 or 12 months.